The Belgian data protection authority has told Facebook to stop tracking users who logout or those that have never registered for the social network.
Photograph: Anatolii Babii / Alamy/Alamy

The Belgian privacy commission has told Facebook to stop tracking the internet activities of people who have not registered with the site or have logged out, after a “staggering” report showed alleged breaches of EU privacy law.

“Facebook tramples on European and Belgian privacy laws”, the data protection authority said in a statement. “Facebook has shown itself particularly miserly in giving precise answers,” it continued, adding that the results of its investigation were “disconcerting” and that it would take legal action if its recommendations were not followed.

Willem Debeuckelaere, president of the Belgian privacy commission, said that the way Facebook is treating its users’ private lives “without respect needs tackling”, and that “it’s make or break time.”

According to a report commissioned by the Belgian data protection agency Facebook has been tracking users on a long-term basis who visit any page – be it a fan page, profile or any other portion of the site that does not require a Facebook account to visit – belonging to the Facebook.com domain.

The opinion published on Friday noted that because Facebook has the power to link internet users’ browsing habits to their real identity, social network interactions and sensitive data including medical information, religious, sexual and political preferences, it is in a unique position compared to most of the other cases of so-called “third-party tracking”.

Explicit consent needed

The privacy commission insists that Facebook seeks explicit consent from users for any tracking related to serving ads, commonly called behavioural ads, and that its current measures are insufficient to obtain that explicit consent and are not exempt under EU law.

EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (“criterion A”) or to deliver a service specifically requested by the user (“criterion B”), neither of which apply to tracking for ads according to the watchdog.

The same law requires websites to notify users on their first visit to a site that it uses cookies, requesting consent to do so.

A cookie is a small file placed on a user’s computer by a website that stores settings, previous activities and other small amounts of information needed by the site. They are sent to the site on each visit and can therefore be used to identify a user’s computer and track their movements across the web.

The opinion also states that Facebook should only track users when logged into the social network and not when logged out, using session cookies which expire after a set time period or when no longer needed.

Social plugins on 13m sites

The watchdog’s opinion was published after scrutinising the findings of a study it commissioned into Facebook’s use of tracking technology and amendments made to its privacy.

The report found that Facebook’s social plugins such as the “Like” button, which has been placed on more than 13m sites including health and government sites, read tracking cookies and send that data back to Facebook.

The data protection authority recommends that website owners using Facebook’s social plugins implement a two-stage click-through process so that users not wanting to interact with Facebook are not exposed to the service.

It also requests that Facebook alter the design of its plugins so that the mere presence of a social plug-in on an external website does not lead to the transmission of data to Facebook

Users are also advised to adopt the use of privacy-guarding software, such as Privacy Badger, Ghostery or Disconnect browser extensions.

‘Facebook is already regulated in Europe’

A Facebook spokesman said: “As we expressed to the CBPL in person when we met, there is nothing more important to us than the privacy of our users and we work hard to make sure people have control over what they share and with whom. Facebook is already regulated in Europe and complies with European data protection law, so the applicability of the CBPL’s efforts are unclear. But we will of course review the recommendations when we receive them with our European regulator, the Irish Data Protection Commissioner.”

The Irish data protection watchdog declined to comment.

The opinion comes at a time of increased scepticism in Europe over the practices of US technology companies when it comes to user data. Many operate their European businesses from Ireland, which has its own data protection authority.

Facebook, in particular, has been very bullish over the fact that it conforms to the letter of the law as laid down by Ireland. Under European Union law, companies that conform and are governed by one member state, in this case Ireland, can operate in other parts of Europe.

However, there is growing political pressure outside of Ireland to investigate the practices of Facebook and others, including Google, concerning data privacy.

Probed all over Europe

The Belgian regulator said it has the power to investigate the company’s possible breaches of its citizens’ privacy rights because Facebook operates a politically and operationally active office within the country.

The Belgian data protection authority does not have the power to fine companies, such as Facebook, but can initiate lawsuits and can be aided by the Belgian prosecution service if breaches of law are found.

The opinion could also carry weight with Article 29, which is currently discussing the possibility of establishing a pan-European data regulator.

Facebook was also recently ordered by a Vienna court to respond to a class action data privacy lawsuit that was filed against Facebook in Austria by privacy activist and lawyer Max Schrems, which is seeking damages of €500 (£397) per plaintiff for alleged data protection violations.